Best Practices to Combat Business Email Compromise

As financial institutions continuously improve their protection against fraudulent activity, fraudsters are shifting their tactics toward a more vulnerable target—banking clients. Losses related to Business Email Compromise (BEC) and Email Account Compromise (EAC) totaled over $12.5 billion between October 2013 and May 2018, and identified global exposed losses rose 136 percent between 2016 and 2018.1 BEC and EAC occur when a fraudster gains access to, or impersonates, a company email account in an attempt to defraud a company or its employees—a trend that shows no signs of slowing down.

However, the power to prevent most of these attacks is already at your fingertips, provided you are dedicated to staying aware and vigilant.

77% of financial organizations said they experienced BEC scams in 2017.2

Trace Fooshee, head of fraud strategy for SunTrust Bank, sheds some light on the dangers shaping today’s world of fraudulent activity as well as preventative measures you can take to make sure these attempts are stopped at the door.

Fraud prevention starts with the employee

It's important for businesses to be proactive when guarding against fraud, Fooshee says. "Don't just wait for it to happen. Raise your security profile and deputize employees to be aware of various threats so you can fight fraud together."

Spoofing is one common fraud technique that can slip through the cracks because its deception is subtle. Spoofing occurs when an impostor hides the origin of a fraudulent email by mimicking a legitimate sender’s email address. Fooshee breaks this down a bit more clearly:

“Say ABC is a company that works with vendor XYZ and pays them $1,000 a month. This money normally goes into account number 123. Spoofing happens when someone impersonates XYZ and sends an email to accounts payable at ABC asking them to redirect payments from 123 to 678, which is obviously the imposter’s account. This fraudulent email might appear as XXYZ or ZYX, a slight differentiation of the legitimate email address, and if the receiver is not looking closely enough, then this could slip right by unnoticed.”

In 2017, impersonation through spoofing increased by 50% on a quarter-by-quarter basis.3

Many employees would be inclined to comply quickly with what appears to be the vendor’s request, believing the email is legitimate. Instead, the employee should take an additional step to confirm that the request is valid before changing anything.

“It can be difficult to spot spoofing, but many instances could be avoided if individuals are paying close attention, especially for higher-risk events like changing the account number of a payee,” Fooshee says. “Instead of redirecting the payment right away or replying to the email, forward that email first to your vendor’s contact. Make sure this is legitimate. Or, just pick up the phone and verify where the email is coming from.”
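The lookalike-address check described above can also be automated as a first line of defense before a payee change reaches a human approver. The following is an added example, not code from the article or from SunTrust: it compares an incoming sender address against a constructed list of trusted vendor addresses, flags near-matches (the "XXYZ" or "ZYX" variants Fooshee describes), and holds any message that asks to change where payments go until it is verified out of band. All addresses, patterns and thresholds are hypothetical.

```python
import re
from difflib import SequenceMatcher

# Constructed list of trusted vendor sender addresses (hypothetical).
TRUSTED_SENDERS = {
    "billing@xyz-vendor.example",
    "ar@acmeparts.example",
}

# Constructed phrases that mark a high-risk request: changing where money goes.
HIGH_RISK_PATTERNS = [
    r"\b(new|updated?|changed?)\b.{0,40}\b(account|routing|bank|wire)\b",
    r"\bredirect\b.{0,40}\bpayment",
    r"\bremit(tance)?\b.{0,40}\b(new|changed?)\b",
]

def lookalike_score(candidate: str, trusted: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means the addresses are identical."""
    return SequenceMatcher(None, candidate.lower(), trusted.lower()).ratio()

def classify_sender(sender: str, trusted=TRUSTED_SENDERS, threshold=0.8):
    """Return ('trusted', addr), ('lookalike', nearest_trusted) or ('unknown', None)."""
    sender = sender.strip().lower()
    if sender in trusted:
        return "trusted", sender
    best, best_score = None, 0.0
    for t in trusted:
        score = lookalike_score(sender, t)
        if score > best_score:
            best, best_score = t, score
    # A near-miss against a trusted address is more suspicious than a stranger.
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None

def is_high_risk_request(body: str) -> bool:
    """True if the message asks to change payment destination details."""
    text = body.lower()
    return any(re.search(p, text) for p in HIGH_RISK_PATTERNS)

def triage(sender: str, body: str) -> str:
    """Decide how an accounts-payable workflow should handle the message."""
    verdict, match = classify_sender(sender)
    risky = is_high_risk_request(body)
    if verdict == "lookalike":
        return f"HOLD: sender resembles trusted {match}; verify by phone"
    if verdict == "unknown" and risky:
        return "HOLD: unknown sender requesting payment change; verify by phone"
    if verdict == "trusted" and risky:
        return "HOLD: payment-change request needs out-of-band verification"
    return "OK: normal handling"
```

Note that a payee change from a genuinely trusted address is still held, because a compromised vendor mailbox (EAC) sends from the real address.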

Tip: If you discover you’ve made a fraudulent payment, the first thing to do is contact your bank. The bank will issue a recall attempt for the payment. Time is of the essence.

Spoofing is only one example of common fraudulent activity. There are many ways a fraudster can reach an employee.

“Fraudsters try all kinds of things, but some are more common than others. For example, look for words or phrases that aren’t commonly used in American English,” Fooshee says.

Practice good email hygiene

“Most important is to trust your judgment,” Fooshee says. “If something seems off about an emailed request, then pick up the phone and call the person making the request. An ounce of prevention is worth a pound of cure, especially when the stakes are many thousands of dollars in lost funds.”

Dual control is an important measure to have in place. Dual control simply means that a second, independent administrator must review a request (or payment) and approve it before any action is taken.

Other best practices for security include:

  • Setting up spam filters
  • Protecting passwords
  • Not sharing sensitive information
  • Limiting the information shared on social media or the company website about employees and their roles

“Fraudsters are looking at all of the information they can find, so don’t make it so easy for them,” Fooshee says.

Only 19% of individuals actually change their passwords at the recommended time.4

Common-sense security practices will help a company keep its financial, personal and business information safe. IT departments will lead the charge in implementing company-wide security protocols, but there is much that can be done at every level.

Keep your information safe

Learn more about the trends shaping the world of fraud and how you can be better prepared to keep attacks from hitting your organization.

1 “Business E-mail Compromise, The 12 Billion Dollar Scam,” January 2018, Federal Bureau of Investigation

2 “2018 Payments Fraud and Control Survey Report,” 2018, Association for Financial Professionals

3 “Report: Email attacks increasing, but none as much as impersonation phishing,” December 2017, TechRepublic

4 “The 2018 Global Fraud and Identity Report,” 2018, Experian

This content does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.